Categories
Building Trust Privacy Security

Deep Dive: Scoring ISPs and Hosts on Privacy and Security

In April 2019 the Internet Society’s Online Trust Alliance (OTA) released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet from retailers to governments. In this post we will take a deeper dive into the ISP/Hosts sector of the Audit. This sector is comprised of the top ISPs and other hosting organizations in the U.S. It includes everything from organizations that provide network access to organizations that host email services.

In the Audit, privacy statements are scored across 30 variables. ISP/Hosts were a decidedly mixed bag compared to other sectors, which tended to do either relatively well or poorly across the board in their statements. (Though to be clear, the vast majority of organizations in the Audit had poor privacy statements; it was the most common reason for failure across privacy and security scoring.)

ISP/Hosts fell somewhat short in the presentation of their statements. OTA advocates several best practices that deal with how the privacy statement is displayed to make it as easy as possible for users to understand.

The simplest practice OTA advocates is a link to the privacy statement on the homepage so users can easily find it. Here ISP/Hosts did not fare well, with just 75% having links on their homepage – the lowest of any sector – compared to 89% of sites overall.

Another simple practice is putting a date stamp at the top indicating when the privacy statement was last updated. Here 43% of ISP/Hosts had a date stamp at the top, compared to 47% overall. This number is deceiving, however. Because ISP/Hosts were the lowest of any sector, they brought down the overall average significantly.

Finally, OTA advocates for the use of “layered” statements. The bar for getting points for a “layered” statement is low. It can be met with anything from something as simple as a table of contents to something more complex like an interactive statement or a summary outlining the longer privacy statement.

Just 25% of ISP/Hosts had a layered privacy statement, the lowest of any sector, compared to almost half (47%) of organizations overall. ISP/Hosts may have lagged behind in how they display their privacy statements, but they did much better in the content of the statement.

Specifically ISP/Hosts stood out in data sharing and retention language. Fully 82% of ISP/Hosts had language explicitly saying they did not share user data (except to complete a service for a customer), compared to 67% overall. In addition, 5% had data retention language. This means they explicitly said how long user data is retained and for what purpose. While 5% may seem small, only 2% of organizations had this language at all. In addition, ISP/Hosts were the second highest sector just behind the top 100 Internet retailers at 6%.

ISP/Hosts were right in the middle on one data sharing variable, showing that there is room for improvement in this area. Roughly half of ISP/Hosts (55%) had language stating that they would hold their third-party vendors to the same standards they hold themselves, compared to 57% of organizations overall. OTA advocates this practice because any organization that uses vendors must hold those vendors accountable. If a vendor abuses user data, and has a written agreement with an organization, that organization could be held liable for the vendor’s behavior.

ISP/Hosts’ privacy statements show that OTA standards are generally easy to meet. Small changes in these statements can go a long way to helping users understand the information being conveyed. These changes will also become increasingly important to keep up with the rapidly changing landscape of privacy laws and regulations around the world.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!


Deep Dive: U.S. Federal Government’s Security and Privacy Practices

In April 2019, the Internet Society’s Online Trust Alliance released its 10th Annual Online Trust Audit & Honor Roll. The Audit looks at the security and privacy practices of over 1,000 of the top sites on the Internet, from retailers to government sites. In this post we will take a deeper dive into the U.S. Federal Government sector of the Audit. The Government sector is defined as the top 100 sites in the U.S. Federal Government by traffic (based on Alexa ranking). Given the nature of the U.S. Government compared to companies, this sample has some unique properties, namely site security.

The most obvious place the government excels is in the area of encryption. This is largely due to a mandate from the Homeland Security Department that all U.S. Government sites be encrypted, but the standard should still be the same for any site. Put another way, the other sectors in the Audit do not have an excuse for lagging in security.

In site security the Government sector fared the best with 100% adoption of “Always-On Secure Socket Layer” (AOSSL) and/or “HTTP Strict Transport Security” (HSTS), compared to 91% of sites overall. The health sector fared the worst with 82% of sites using these technologies. Both technologies ensure that traffic on the website is encrypted.

Most sites in the Audit fared well in these areas, but the Government sector was the only one to achieve 100% adoption of these technologies. From OTA’s perspective all sites should be adopting these technologies and while it is encouraging that the U.S. Federal Government (or at least the top 100 sites) have, it is discouraging that all of the other sectors are not reaching the 100% adoption rate.

In addition, the Government sector saw improvement over time. All sectors improved somewhat, but the Federal Government was the only one to cross the finish line. Here again it is important to note that the Federal Government is unique in some ways. Homeland Security can simply mandate encryption and it happens. For companies and other types of organizations it may not be as straightforward, but that is not an excuse not to work towards full encryption.

In 2017, 91% of Federal Government sites were encrypted, up to 100% this year as noted above. Other sectors improved as well. ISP/Hosting sites went from 70% in 2017 to 91% in 2018. Banks, a sector where encrypting website traffic is particularly important given the types of data sent over those sites, also saw a marked improvement. In 2017 just 76% of banks encrypted their sites. In 2018 that number jumped to 91%.

Despite improvements across the board in site encryption, banks are a good example of where improvement is not enough. The Government sector sets the standard. The lesson for all organizations from the success of the U.S. Federal Government is simple. It’s possible to encrypt large numbers of sites quickly – and it’s in the interest of any organization to do so.

How would your organization do in the Audit? Read the report to see how you’d stack up, and use it to improve your site’s security and privacy. Then view the infographic or watch the recap video to learn more!


Online Trust Audit for 2020 Presidential Campaigns Update

On 7 October 2019, the Internet Society’s Online Trust Alliance (OTA) released the Online Trust Audit for 2020 U.S. Presidential Campaigns. Overall, 30% of the campaigns made the Honor Roll, and 70% had a failure, mainly related to scores for their privacy statements. As part of this process, OTA reached out to the campaigns, offering to explain their specific Audit scores and ways to improve them. The campaigns were also told that they would be rescored in mid-November and the updated results would be published in early December. As a result, several campaigns contacted us to understand the methodology and scoring, and several of them made improvements.

Rescoring of all elements of the Audit was completed on 25 November, and the table below shows the updated results since release of the original Audit. Several campaigns have been suspended since early October (Messam, O’Rourke, Ryan, and Sanford, as well as Bullock and Sestak in early December). Campaigns shown in bold in the Honor Roll column made enough improvements to earn passing scores for their privacy statements and thereby achieve Honor Roll status. Campaigns shown in italics at the bottom of the table are new entrants since the Audit was released. Based on this updated list of 20 campaigns, 10 made the Honor Roll while 10 had a failure in one or more areas, creating a 50/50 split.

Figure 1 – 2020 Presidential Campaign Audit Supplement Results

Privacy Practice Updates

Three campaigns updated their privacy statements, and all three made changes that caused them to pass in the privacy area (a score of 60 or more) and achieve Honor Roll status. However, these were minor changes (added a date stamp, addressed children’s use of the site, layered the statement to make it easier to navigate) – none addressed the core data sharing issues highlighted in the original Audit.

For the new entrants, one had no privacy statement (De La Fuente), one had a privacy statement with a score below 60 (Bloomberg), and one had a privacy statement with a passing score that directly addressed the data sharing issues (Patrick).

Site Security Updates

Minor changes were noted in the site security aspects of the Audit, and none were substantial enough to cause a change in Honor Roll status. Two campaigns now have outdated software (lowering their score), and one added support for TLS 1.3.

Site security scores for the new entrants were strong, which is in line with other campaigns, and all of them support “always on SSL” or fully encrypted web sessions.

Consumer Protection Updates

A few changes were noted in the existing campaigns – one added support for DNSSEC, and one added DMARC support with a reject policy (the recommended email security best practice). These improved the campaigns’ scores, but did not affect their Honor Roll status. The two campaigns that originally had failures due to email authentication have been suspended so are no longer on the list.

For the new entrants, one has insufficient email authentication (so fails in Consumer Protection as well as Privacy), and while the other two have strong SPF and DKIM protection, only one uses DMARC with a reject policy. One supports DNSSEC.

Conclusion

The engagement with several of the campaigns was constructive and led to improvements that helped them earn Honor Roll status. We find that for most organizations the issue is more about awareness of best practices and their impact on overall trust than a refusal to follow those best practices. However, the data sharing language in all but one of the privacy statements is concerning. For example, most of the campaigns had language that would allow them to share data with “like minded organizations.” Language along these lines gives the campaigns broad discretion to share user data. We encourage campaigns (and the political parties they work with) to consider improvements to sharing language to increase transparency about how data is shared and give users more control over their data.

Campaign Sites and Privacy Statements

You can find the list of the URLs for the rescored campaign sites and associated privacy statements in the Supplement to Online Trust Audit – 2020 Presidential Campaigns.

This supplement was finalized before Kamala Harris dropped out of the U.S. presidential race on 3 December 2019.


Announcing the 2020 U.S. Presidential Campaign Audit

Today, the Internet Society’s Online Trust Alliance released a new report, the “2020 U.S. Presidential Campaign Audit,” analyzing the 23 top current presidential campaigns and their commitment to email/domain protection, website security, and responsible privacy practices. OTA evaluated the campaigns using the same methodology we used to assess nearly 1,200 organizations in the main Online Trust Audit released in April.

An alarming 70% of the campaign websites reviewed in the audit failed to meet OTA’s privacy and security standards, potentially exposing visitors to unnecessary risks. Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information. The 2020 campaigns, taken together as a sector, lagged behind the Honor Roll average of all other sectors (70%) in the 2018 Online Trust Audit, and were far short of the Honor Roll achievement of 91% by U.S. federal government organizations.

To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with no failure in any of the three categories examined. The campaigns that made the Honor Roll are:

  • Pete Buttigieg
  • Kamala Harris
  • Amy Klobuchar
  • Beto O’Rourke
  • Bernie Sanders
  • Donald Trump
  • Marianne Williamson

Website security scores are high. This can be attributed to the relative “newness” of these campaign sites and the fact that they were built recently on secured platforms. The lack of email authentication for two of the campaigns is a surprise, since these are long-established best practices and modern infrastructure should support SPF, DKIM, and DMARC.

Privacy is a major problem for campaigns, causing failure for 70% of them. There were a variety of reasons for failure, including:

  • Lack of Privacy Statement – Four campaigns had no discoverable privacy statement. This yields a statement score of 0 and is an automatic failure. This may be an oversight, but is inexcusable since every campaign website is collecting data. Fortunately, it can be remedied quickly by adding a privacy statement.
  • Inadequate Statement – Many campaign privacy statements were silent on the issue of data sharing, retention, etc. so they did not give clear notice and transparency about their practices. Such disclosures are generally accepted best practice.
  • Freely Sharing Data – Several privacy statements said they could share data with “like-minded entities” or unidentified third parties, effectively putting no limits on the use of personal data.

We encourage all campaigns to remain vigilant regarding security, and to revisit their privacy statements. Disclosing that data may be shared with “like-minded” organizations may be a common practice for campaigns, but is still concerning in light of the depth of demographic and financial information being collected. Since even campaigns that made the Honor Roll had poor privacy scores, OTA calls on all campaigns to consider updating their statement and practices to better reflect consumer concerns pertaining to the collection, use, retention, and sharing of their personal information.

We reached out to each campaign the week of 30 September, prompting some campaigns to make updates, which we re-evaluated on 7 October. We are committed to helping campaigns improve their efforts to keep both people and information safe online by providing tailored best practice recommendations upon request. We will reassess active presidential campaigns in mid-November and provide a short supplement to this report, highlighting any improvements.

We encourage you to read the report, and to make sure your organization (of any kind) is following the best practices outlined in Appendix C – Best Practices Checklist.


Deep Dive: How Do Banks Score on Privacy and Security?

In April 2019 the Internet Society’s Online Trust Alliance published its 10th annual Online Trust Audit & Honor Roll assessing the security and privacy of 1,200 top organizations. The Banking sector includes the top 100 banks in the U.S., based on assets according to the Federal Deposit Insurance Corporation (FDIC). Banks had a standout year, with a dramatic increase in scores across the board. Let’s take a closer look.

Overall, 73% of banks made the Honor Roll, putting the banking sector 4th behind the News and Media (78%), Consumer Services (85%), and the U.S. Federal Government (91%) sectors. In the previous Audit, only 27% made the grade. This large jump is due to improvements in all three scoring categories: email authentication, site security, and privacy.

Email

Banks, like most sectors, came close to 100% adoption in the two main email security technologies studied in the Audit: SPF (93%) and DKIM (87%). In addition, banks saw a marked improvement in how many sites implemented both technologies, at 87% in 2018, up from 60% in 2017. This puts banks among the most improved sectors in this area.

DMARC builds on SPF and DKIM results, provides a means for feedback reports, and tells receivers how to process messages that fail authentication. Banks also did well in DMARC adoption, with the second highest adoption rate (70%) of any sector, behind only the U.S. Federal Government (93%).

Site Security

Though banks did well in overall site security (and led in areas such as lowest occurrence of cross-site scripting), there were a few areas for improvement. They had by far the highest rate of malware on the sites (10%, vs an overall average of 2%). They also had one of the lowest adoption rates for presence of a vulnerability reporting mechanism (6% vs an overall average of 11%). In light of recent large data breaches, it is especially important to provide a way for security researchers to report vulnerabilities in an efficient way.

Privacy

Like most sectors, banks did not fare well in privacy. The Audit tracks privacy in two ways: by the number of trackers on a site, and by analyzing the site’s privacy statement. In terms of trackers, banks did well. They were among the top scorers with 44 of 45 available points. (The score is derived using publicly available software to analyze how many trackers each site uses; the fewer bad trackers, the higher the score.) Though there was marked improvement from the prior Audit, banks still lagged, like most sites, in their privacy statements. Banks had a privacy statement score of only 25 out of 55, towards the low end of the spectrum.

The primary cause of failures was in sharing and data retention language. Only 22% of banks had language about data sharing, lower than the overall average across sectors. While most sites fared poorly in data retention language, banks were particularly bad. No banks had satisfactory data retention language in their privacy statement. Given the sensitivity of data that banks have, it is important that there be some kind of data retention language.

Learn More

How would your organization do in the Audit? Check out Appendix E – the Best Practice Checklist – to see how you’d stack up, and use it to improve your site’s security and privacy. Then read the report, view the infographic, or watch the recap video to learn more!


Announcing the Online Trust Audit & Honor Roll Results

Do you know how – or even if – your favorite retailer, or your bank, or your ISP is working to protect you? The Online Trust Alliance recognizes excellence in consumer protection, data security and responsible privacy practices. Today, we released the 10th annual Online Trust Audit & Honor Roll, covering more than 1,200 predominantly consumer-facing websites, and found that 70% of the websites we analyzed qualified for the Honor Roll. That’s the highest proportion ever, driven primarily by improvements in email authentication and session encryption.

Highlights

Overall, we found a strong move toward encryption, with 93% of sites encrypting all web sessions. Email authentication is also at record highs; 76% use both SPF and DKIM (which prevent spoofed/forged emails) and 50% have a DMARC record (which provides instruction on how to handle messages that fail authentication).

It’s not all good news, though. We also found that only 11% of organizations use mechanisms for vulnerability reporting, which allows users to report bugs and security problems. Only 6% use Certificate Authority Authorization, which limits certificate abuse. And overall privacy scores dropped compared to last year, primarily due to more stringent scoring in light of the E.U.’s General Data Protection Regulation and the California Consumer Privacy Act. In addition, 15% of organizations had at least one data loss or cyber breach incident.
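As an added example (not the Audit’s own tooling, nor OTA code), the following Python checks a domain’s published SPF, DKIM and DMARC records and its HSTS response header against the practices described above and in the DMARC paragraph of the Banks deep dive. All records and headers are constructed samples for hypothetical domains; the rule that both SPF and DKIM must be present for email authentication to count as sufficient is an assumption, not the Audit’s published scoring.

```python
import re
from typing import Dict, List, Optional

# Constructed sample TXT records for a hypothetical, well-configured domain (not real DNS data).
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
}
# Constructed sample HTTPS response headers for the same hypothetical domain.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

# Constructed weak counterpart: softfail SPF, no DKIM key, DMARC monitoring only, no HSTS.
SAMPLE_WEAK_TXT = {
    "weak.test": ["v=spf1 include:_spf.mailhost.test ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.test"],
}


def _tags(rec: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' style record (DKIM, DMARC) into a dict with lower-cased keys."""
    out: Dict[str, str] = {}
    for part in rec.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def spf_policy(txt_records: List[str]) -> Optional[str]:
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?' or '+').

    None means no SPF record is published. A record with no 'all' term
    evaluates to neutral under RFC 7208, so it is reported as '?'.
    """
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec, re.I)
            if not match:
                return "?"
            return match.group(1) or "+"
    return None


def dkim_published(txt_records: List[str]) -> bool:
    """True if a selector record carries a DKIM public key (the 'v' tag is optional)."""
    for rec in txt_records:
        tags = _tags(rec)
        if tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p"):
            return True
    return False


def dmarc_policy(txt_records: List[str]) -> Optional[Dict[str, str]]:
    """Parse the _dmarc TXT record; None if absent. Defaults pct=100 and sp=p per RFC 7489."""
    for rec in txt_records:
        tags = _tags(rec)
        if tags.get("v", "").upper() == "DMARC1" and "p" in tags:
            tags.setdefault("pct", "100")
            tags.setdefault("sp", tags["p"])
            return tags
    return None


def hsts_max_age(headers: Dict[str, str]) -> Optional[int]:
    """Return max-age from Strict-Transport-Security, 0 if malformed, None if the header is absent."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
            return int(match.group(1)) if match else 0
    return None


def evaluate(domain: str, txt: Dict[str, List[str]], dkim_selectors: List[str],
             headers: Dict[str, str]) -> Dict[str, bool]:
    """Report which of the practices discussed on the page a domain satisfies."""
    spf = spf_policy(txt.get(domain, []))
    dkim = any(dkim_published(txt.get(f"{s}._domainkey.{domain}", [])) for s in dkim_selectors)
    dmarc = dmarc_policy(txt.get(f"_dmarc.{domain}", []))
    hsts = hsts_max_age(headers)
    findings = {
        "spf_published": spf is not None,
        "spf_hard_fail": spf == "-",
        "dkim_published": dkim,
        "dmarc_published": dmarc is not None,
        # The page calls DMARC with a reject policy the recommended practice; a
        # pct below 100 applies it to only a sample of mail, so it does not count here.
        "dmarc_reject": dmarc is not None and dmarc["p"].lower() == "reject" and dmarc["pct"] == "100",
        "hsts": hsts is not None and hsts > 0,
    }
    # Assumption (not the Audit's published rule): both SPF and DKIM must be present.
    findings["email_auth_sufficient"] = findings["spf_published"] and findings["dkim_published"]
    return findings


if __name__ == "__main__":
    for name, records, hdrs in (("example.test", SAMPLE_TXT, SAMPLE_HEADERS),
                                ("weak.test", SAMPLE_WEAK_TXT, {})):
        print(name, evaluate(name, records, ["sel1"], hdrs))
```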

The U.S. Federal government sector surged to the front with 91% of sites placing on the honor roll, a dramatic turnaround from 2017 when they had bottomed out at 39%. Consumer services (including social media, payment services, video streaming, file sharing, and dating) finished second this year at 85%. News & Media and then Banks came in at 78% and 73%, respectively. Internet Retailers came in at 65%, barely edging out ISPs, carriers, hosters and email providers at 63%. Healthcare, a new sector this year, had the lowest overall honor roll placement at 57%.

Top Scorers

The Top 50 (Appendix C) shine bright with the best overall scores across all 1,200 sites we analyzed. They are:

  • Top Overall: Google Play
  • Top Bank: First National Bank of Omaha
  • Top Consumer: Paypal
  • Top Healthcare: 23andMe
  • Top ISP/Host: Google Cloud Platform
  • Top News: Google News
  • Top Retailer: Google Play
  • Top U.S. Federal: Federal Emergency Management Agency (FEMA)

Audit Resources

Too many numbers in here? We have some resources to help distill down the highlights, including:

Webinar

We’re hosting an ISOC community webinar to discuss the Audit results on 24 April, from 1 PM to 2 PM EDT (17:00 UTC). See https://dev.internetsociety.org/events/ota-honor-roll-webinar/ for more information.

Improve Your Security & Privacy

How would your organization do in the Audit? Check out Appendix E – the Best Practice Checklist – to see how you’d stack up, and use it to improve your site’s security and privacy.

We hope you’ll read the report, view the infographic, watch the video, share the news, and/or join us on the webinar. And be sure to watch OTA on Twitter, Facebook, and LinkedIn and share using #OTATrustAuditHonorRoll!


Getting Ready for the 2016 Online Trust Audit

Got Trust? The Online Trust Audit continues to serve as a benchmark of security, privacy and consumer protection best practices for organizations throughout the world. Consistent with OTA’s view that such standards and practices need to continually evolve to reflect the threat landscape, new standards and regulatory requirements, this year’s methodology and scoring is being updated.

Initial changes for the 2016 methodology have focused on two primary areas, adoption of current SSL standards and the global privacy landscape (already applied to the 2016 Presidential Candidates audit and planned for the upcoming eFile audit). As with past methodology updates made each year, the SSL tools have been enhanced to reflect compliance with current standards and protocols, while placing increased weighting on the exposure of known vulnerabilities and risks.

Through a multi-stakeholder review process the working group agreed to “raise the bar”. Starting in 2016, sites with an SSL score of C will automatically receive failing grades in security, resulting in an overall audit fail. This change was necessitated because the primary causes of C grades are typically easy to address, and a site with such scores should not be considered in the same mix as those sites qualifying for the Honor Roll with A or B SSL scores.

On the privacy front, previous bonus points for short/layered notices and Do-Not-Track (DNT) disclosures will move to part of the core privacy policy scoring methodology. With the goals of supporting responsible privacy practices and the progress of the DNT standard through the W3C standards process, the disclosure (or more often the lack thereof) of honoring or not honoring browser-based Do-Not-Track settings has been integrated into the core privacy score. Sites which fail to disclose their status in honoring such user settings, or which function when third-party cookies are blocked, lose points as part of the core privacy policy scores. While some sites currently point to self-regulatory solutions such as those proposed by the Digital Advertising Alliance (DAA), OTA — along with the privacy community, Federal Trade Commission and European Union — does not believe such solutions address the core consumer issues of data collection and usage and the intent of the DNT standard.

Make a commitment and move from compliance to stewardship. To see if your site and brand is postured to qualify for the 2016 Honor Roll, visit the Online Trust Audit Methodology. Share your comments and help enhance data protection and drive responsible privacy and data collection practices.


Does Your Favorite Presidential Candidate Make the Grade?

As the Presidential race kicks into high gear, voters are evaluating how candidates will tackle tough issues on foreign and domestic policy. Let’s hope they don’t overlook topics relating to online privacy and security. A recent Pew Research Center survey indicates that 74% of Americans believe control over personal information is “very important,” yet only 9% believe they have such control.

The Online Trust Alliance (OTA) recently looked at twenty-three candidates’ websites to determine how they are managing voters’ privacy and security concerns.

What we found might be surprising. Of the twenty-three candidates’ sites reviewed, only 6 received a “passing” grade on the three areas scored – privacy, security and consumer protection. Those 6 candidates also made the “Honor Roll” for their data stewardship, while the rest (17) received a failing grade, primarily for their privacy policies. Most candidates had clear privacy policies in place, but 4 didn’t have a discoverable policy, so there is no way to know what happens to one’s data. Voters should also take notice that when they sign up to support or make a donation to a candidate, that information can also be shared or sold to other like-minded organizations. While this may be standard operating procedure among political candidates, the question has to be asked: why aren’t politicians held to the same standards as e-commerce websites, which must adhere to Fair Information Practice Principles, clearly stating the use, sharing and retention of data?

OTA recommends that candidates adhere to the following best practices:

  • Have a privacy policy that is short (less than 500 words), multilingual, layered, and written for consumers, not lawyers
  • Make the privacy policy accessible via a link in the footer of every page, date stamped, with archived updates
  • Restrict data sharing to only third parties necessary to support your campaign
  • Honor a donor’s request to unsubscribe from your mailing lists and remove their data from your database
  • Respect a user’s browser “Do Not Track” setting
  • Prepare for a data breach and have an incident readiness plan
  • Ensure that email servers are configured to help protect consumers from spear phishing and forged email

For more information download the audit and join us for a webinar about the Presidential Honor Roll and methodology on Friday, September 25th at 10 a.m. PDT/1 p.m. EDT.


An Open Letter to The Presidential Candidates

As campaigns ramp up for candidates, political parties and super PACs, it is time for politicians to think about the privacy, security and sensitivity of the information their donors and constituents entrust to them. The nation has been alarmed by data collection practices in the public and private sector, including those of the NSA. Now candidates must examine their own practices. Digital data is the lifeblood of the economy, but it is being exploited daily by cyber-criminals and state-sponsored actors, placing America at the crossroads of a trust meltdown and underscoring the need for candidates to walk the talk and put voters and their privacy at the forefront.

While politicians have been successful in obtaining “carve outs” from anti-spam and related legislation, based on a preliminary review OTA believes most consumers would be surprised at the liberties being taken with their data when they donate or volunteer to help a candidate. Even though the language of many candidates’ privacy policies may disclose that they share personal information broadly with others (other candidates, organizations, campaigns, groups or causes that THEY believe have similar political viewpoints, principles or objectives), my question is: how many consumers actually realize this or read it?

In this post-Snowden era with its increased anxiety regarding industry privacy practices, including those of Google, Facebook, Apple, Microsoft and others, it is time to realign data privacy to consumer expectations. OTA calls for greater disclosure on collection, use, retention and sharing as well as the ability for consumers to opt out (or ideally opt in) of all such sharing.

It’s time to move beyond outward-facing messages to a recognition that it is each candidate’s duty to protect and be a steward of the data and personally identifiable information voters entrust to them. Make respect for consumers and their privacy part of your political platform. Complete a self-audit to see whether your campaign or candidate can make the grade. OTA has resources, tools and guidance available to help candidates understand and implement best practices to help keep their sites, messaging and data safe.

  1. Do you restrict data sharing to only third parties necessary to support your campaign and do they commit to hold all such data in confidence?
  2. Do you honor a donor’s request to unsubscribe from your mailing lists and remove their data from your database?
  3. Is your privacy policy accessible via a link on the footer of every page, date stamped and are its updates archived?
  4. Do you disclose and respect a user’s browser “Do Not Track” setting?
  5. Can a reader comprehend your privacy policy? Can you rewrite your privacy policy as a short layered notice? Challenge yourself to write a short layered policy under 500 words that is written for the consumer rather than attorneys.
  6. Is your policy multi-lingual and/or localized in the primary language of your constituents?
  7. Are you prepared for a data breach? Do you have an incident readiness plan?
  8. Are your email servers configured to help protect consumers from spear phishing and forged email?
  9. Are you adhering to best practices to help protect and secure data or are you following in the footsteps of Wyndham Hotels?
  10. If you were a business would you be able to pass muster with the FTC or California Department of Justice?

Let’s work together in a bi-partisan effort to respect voters’ data and their privacy. For more information and resources on how sites can adopt trustworthy best practices, see the annual Online Trust Audit and methodology. OTA is here to help!